🛠️Stealth with C2
This technique can be used only after having obtained an initial access on the target
This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category name. Wanna help? Please reach out to me: @_nwodtuhs
Once you have a shell on the victim, one of the most discreet ways to execute code is through a Beacon Object File (BOF). A BOF is a small compiled C object file (COFF) that the C2 agent loads into its own process: the agent allocates memory for the object's sections, resolves the functions the object imports, runs its entry point, then frees that memory. No sub-process is created (as opposed to the fork-and-run model, where a sacrificial process is spawned and injected), nothing is written to disk, and the code is only resident in memory while it runs. The flip side is that the object runs inside the agent's process with no isolation: a crash or an unhandled exception in the BOF takes the agent down with it, and a BOF blocks the agent until it returns, so long-running code does not belong in one.
Here is an example of how to launch a BOF once it has been compiled into an object file (for example with MinGW's x86_64-w64-mingw32-gcc -c, or cl.exe /c with MSVC): from the Beacon console, the inline-execute command takes the path of the .o file and its optional arguments. The source code of the example is available here; its goal is to determine whether the target is a virtual machine.
A BOF cannot be linked against the Win32 import libraries, so every Windows API function it calls has to be declared with Dynamic Function Resolution (DFR): the declaration names the DLL and the export, and the loader resolves the pair at run time. For example, if you need the RegCloseKey function:
Look at the Windows documentation (in our example https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regclosekey) to get the prototype, i.e. the return type and the list of arguments.
In our case: LSTATUS RegCloseKey(HKEY hKey);
Then, get the name of the library listed in the Requirements table at the bottom of the page; in our case it is Advapi32.lib (the function is exported by Advapi32.dll).
We have to structure the declaration like this: DECLSPEC_IMPORT <ReturnType> WINAPI <LIBRARY>$<Function>(<Args List>);
Still in our case, we get: DECLSPEC_IMPORT LSTATUS WINAPI ADVAPI32$RegCloseKey(HKEY);
Then simply call the function under that name in the code: ADVAPI32$RegCloseKey(hKey);
Two things to check before compiling: the part after the $ must be the exact export name (RegCloseKey has no A/W variants, but RegOpenKeyEx does, so that one is declared as ADVAPI32$RegOpenKeyExA or ADVAPI32$RegOpenKeyExW), and no Win32 function may be called without its LIBRARY$ prefix, otherwise the object contains a symbol the loader has no way to resolve and the BOF fails to load.
In addition, to use the Beacon API (BeaconPrintf for output, BeaconDataParse and friends for arguments), include the beacon.h header available here.
It is also possible to resolve a function at run time from inside the BOF, which is what the loader does behind the scenes for every DFR declaration: declare KERNEL32$LoadLibraryA and KERNEL32$GetProcAddress with the convention above (both are exports of kernel32.dll), load the DLL, ask for the export's address, and call it through a function pointer whose typedef carries the right signature and calling convention (WINAPI). This saves a DECLSPEC_IMPORT line per function and lets the BOF decide at run time which export to use, at the cost of more code. Either way the DLL and function names end up as plain strings in the object, so neither approach hides what the BOF calls. Below is an example of how to use this approach:
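The following is an added example, not code from this page or from Cobalt Strike: a host-side C program that performs the same step a BOF loader performs on the undefined symbols of a compiled object. It undoes the decoration the compiler wraps around the LIBRARY$Function names produced by the declarations described above, splits each name into a DLL name and an export name, and checks the pair the way LoadLibraryA and GetProcAddress would; symbols from beacon.h (BeaconPrintf and friends) are treated as served by the loader itself. The export tables are a constructed subset of real kernel32 and advapi32 exports so that the program runs offline, and the sample symbol list is constructed too, as what nm prints for the registry BOF discussed on this page. It flags the three mistakes that make a BOF fail at load time: an export name that does not exist (the RegCloseKeyA slip), a misspelled DLL name, and a Win32 call made without its LIBRARY$ prefix.

```c
/*
 * dfr_check.c: host-side model of the lookup a BOF loader performs on a
 * compiled object's undefined symbols. Added example, not Cobalt Strike code.
 * The export tables are a constructed subset of real kernel32/advapi32 exports
 * so the check runs offline; on a target the answer comes from LoadLibraryA
 * and GetProcAddress.  Build and run:  cc -Wall -o dfr_check dfr_check.c && ./dfr_check
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum status {
    RESOLVED_DFR,        /* LIB$Func: LoadLibraryA(LIB) then GetProcAddress(Func) */
    RESOLVED_BEACON_API, /* Beacon* from beacon.h: served from the loader's own table */
    ERR_NOT_DFR,         /* Win32 name without a LIB$ prefix: nothing says where it lives */
    ERR_NO_LIBRARY,      /* LoadLibraryA would fail: DLL name misspelled */
    ERR_NO_EXPORT        /* GetProcAddress would fail: export misspelled or wrong A/W suffix */
};

struct import { char lib[64]; char func[128]; enum status status; };

/* Constructed export table: a few real exports per DLL, not the full list. */
struct dll { const char *name; const char *exports[8]; };
static const struct dll g_dlls[] = {
    { "KERNEL32", { "LoadLibraryA", "GetProcAddress", "GetModuleHandleA", "VirtualAlloc", NULL } },
    { "ADVAPI32", { "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey", NULL } },
    { NULL, { NULL } },
};

/* LoadLibraryA treats the module name case-insensitively, so advapi32 == ADVAPI32. */
static const struct dll *mock_load_library(const char *lib)
{
    for (const struct dll *d = g_dlls; d->name; d++) {
        const char *a = d->name, *b = lib;
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == '\0' && *b == '\0') return d;
    }
    return NULL;
}

/* GetProcAddress is exact and case-sensitive: "RegCloseKeyA" is not "RegCloseKey". */
static int mock_get_proc_address(const struct dll *d, const char *func)
{
    for (int i = 0; d->exports[i]; i++)
        if (strcmp(d->exports[i], func) == 0) return 1;
    return 0;
}

/* Copy [src, end) into dst, clipped to the buffer and NUL-terminated. */
static void copy_span(char *dst, size_t cap, const char *src, const char *end)
{
    size_t n = (size_t)(end - src);
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/*
 * Undo what the compiler wraps around a DECLSPEC_IMPORT "LIB$Func" declaration:
 *   x64:  __imp_ADVAPI32$RegCloseKey
 *   x86:  __imp__ADVAPI32$RegCloseKey@4   ('_' cdecl prefix, '@bytes' stdcall suffix)
 * then split at '$' and look the pair up as the loader would.
 */
enum status resolve_import(const char *sym, struct import *out)
{
    const char *p = sym;
    memset(out, 0, sizeof *out);
    if (strncmp(p, "__imp_", 6) == 0) p += 6;   /* dllimport thunk prefix */
    if (*p == '_') p++;                          /* x86 symbol decoration */

    const char *dollar = strchr(p, '$');
    const char *start = dollar ? dollar + 1 : p;
    const char *end = strchr(start, '@');
    if (!end) end = start + strlen(start);
    copy_span(out->func, sizeof out->func, start, end);

    if (!dollar)
        return out->status = strncmp(p, "Beacon", 6) == 0 ? RESOLVED_BEACON_API : ERR_NOT_DFR;
    copy_span(out->lib, sizeof out->lib, p, dollar);

    const struct dll *d = mock_load_library(out->lib);
    if (!d) return out->status = ERR_NO_LIBRARY;
    if (!mock_get_proc_address(d, out->func)) return out->status = ERR_NO_EXPORT;
    return out->status = RESOLVED_DFR;
}

static const char *describe(enum status s)
{
    switch (s) {
    case RESOLVED_DFR:        return "ok   LoadLibraryA + GetProcAddress";
    case RESOLVED_BEACON_API: return "ok   Beacon API";
    case ERR_NOT_DFR:         return "FAIL not a LIB$Func symbol, nothing to resolve it from";
    case ERR_NO_LIBRARY:      return "FAIL LoadLibraryA would fail (library name)";
    case ERR_NO_EXPORT:       return "FAIL GetProcAddress would fail (export name)";
    }
    return "?";
}

/* Check a BOF's undefined symbols; returns how many the loader could not satisfy. */
int check_bof_imports(const char *const *syms, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct import imp;
        enum status s = resolve_import(syms[i], &imp);
        printf("%-36s -> %s\n", syms[i], describe(s));
        if (s != RESOLVED_DFR && s != RESOLVED_BEACON_API) bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: the undefined symbols nm would list for the registry
     * BOF discussed above, with three deliberate mistakes mixed in. */
    static const char *const syms[] = {
        "__imp_ADVAPI32$RegOpenKeyExA",
        "__imp_ADVAPI32$RegQueryValueExA",
        "__imp_ADVAPI32$RegCloseKeyA",      /* RegCloseKey has no A/W variants */
        "__imp_KERNEL32$LoadLibraryA",
        "__imp_KERNEL32$GetProcAddress",
        "__imp__KERNEL32$GetProcAddress@8", /* same declaration in an x86 build */
        "__imp_BeaconPrintf",
        "__imp_ADVAPI$RegCloseKey",         /* no such DLL name */
        "RegCloseKey",                      /* called without the LIB$ prefix */
    };
    int bad = check_bof_imports(syms, sizeof syms / sizeof syms[0]);
    printf("%d import(s) the loader could not resolve\n", bad);
    return bad != 0;
}
```

To run it over a real object, feed it the output of x86_64-w64-mingw32-nm bof.o | awk '$1 == "U" {print $2}' instead of the constructed list. The name splitting and the prefix/suffix handling are the part worth trusting; the mock export tables only know a handful of functions, so a FAIL on the export name for a function outside them means nothing until you check the real DLL. A FAIL on a symbol without a $ or on the DLL name, however, is a genuine declaration bug to fix before the object is sent through the C2 channel.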
More information at this URL: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm.